User Tools

Site Tools


articles:proxmox_span

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
articles:proxmox_span [2018/04/27 17:27] veeraarticles:proxmox_span [2018/04/27 17:52] (current) – [Add a new interface to a VM using this bridge vmbr7] veera
Line 2: Line 2:
  
  
-Proxmox VE is a leading enterprise virtualization platform that uses a KVM based hypervisor to bring you very high performance with minimal overhead. We like Proxmox for NSM (Network Security Monitoring) applications. In this article we talk about how you can create a Proxmox Virtual Machine running TrisulNSM and how you can connect a port span cable and bring the traffic into the virtual machine.+Proxmox VE is a leading enterprise virtualization platform that uses a KVM based hypervisor along with a nice web based management interface. We like Proxmox for NSM (Network Security Monitoring) applications due to its higher performance 
 + 
 +In this article we talk about how you can create a Proxmox Virtual Machine running TrisulNSM and how you can connect a port span cable and bring the traffic into the virtual machine.
  
  
 ===== The setup ===== ===== The setup =====
 +
 +The challenge is to map a single physical port on the server running Proxmox to an interval VM which will be running Trisul Network Analytics.  The physical port will be typically connected to a Port Mirror or SPAN port on a switch whose traffic is to be monitored. 
  
 {{:articles:proxmox1.png?600|}} {{:articles:proxmox1.png?600|}}
 +
 +
 +==== Create a new bridge ====
 + 
 +
 +The good news is Proxmox is based on Debian9 and you can login directly to the system and make configuration changes.  Logon to the Proxmox server directly and create a new Bridge and add the physical port as the only member of that bridge.  
 +
 +Edit ''/etc/network/interfaces'' and enter the following
 +
 +<code bash>
 +
 +auto vmbr7
 +iface vmbr7 inet manual
 + bridge_ports enp2s0f1
 + bridge_stp off
 + bridge_fd 0
 + bridge_ageing 0
 +
 +</code>
 +
 +Then 
 +
 +<code>
 +systemctl restart network
 +</code>
 +
 +
 +Basically, this creates a dumb bridge with zero bridge_ageing, so it will just forward all packets to who ever is connected.  
 +
 +Now ''brctl show'' should show you the new bridge. 
 +
 +
 +==== Add a new interface to a VM using this bridge vmbr7 ====
 +
 +Next logon to Proxmox VE and add a new sniffing interface using //Hardware -> Add -> Network Device//
 +
 +Then select the new bridge for this interface as shown below
 +
 +{{:articles:pve1.png?600|}}
 +
 +Then go back and review the VM, there should be TWO intefaces, one for management and the other for the sniffing.  It should look like this.
 +
 +{{:articles:pve2.png?600|}}
 +
 +
 +
 +===== Configure the capture interface within the VM =====
 +
 +Now boot up the VM and you will find two adapters.  Using the MAC address you can go back to the Proxmox UI and determine which adapter maps to which bridge.  Assign an IP address to the management interface and leave the other one without an IP.  
 +
 +Typing ''ifconfig -a''  gives you something like below
 +
 +{{:articles:pve3.png?600|}}
 +
 +
 +<note important>Make sure you do a ifconfig ens19 up. Otherwise you may not be able to capture from that interface</note>
 +
 +
 +We're done.  Now, all  you need to do is capture from ''ens19'' using Trisul Network Analytics. Install Trisul, then go to admin/admin Capture Profiles and select ens19.  
 +
 +
 +Hope this helps. Trisul is designed to be frugal in resource usage , we can install several such Trisul on a single Proxmox platform using this technique. 
 +
 +
 +-end-
 +
 +
 +
 +
 +
 +
  
articles/proxmox_span.1524830273.txt.gz · Last modified: 2018/04/27 17:27 by veera